The risk of hacking is higher than ever.
Soon, the penalties for being hacked will be too.
Thursday 22 February 2018.
If you run a business, NFP or government agency, it’s a big day, because that’s when the Privacy Act 1988 amendment which includes a whole raft of new data breach rules and fines will start being enforced. It means that cyber security is no longer just a tick box on your IT checklist – it’s a business imperative.
What’s changing, and who’s affected?
Under something called the Notifiable Data Breach scheme (NDB), a specific list of data breach rules will be added to the Privacy Act. These changes mean organisations and individuals can be hit with big fines and even more costly reputational damage if their cyber security is compromised.
The NDB scheme applies to all organisations referred to as APP entities, including:
- All private sector and not-for-profit organisations (turnover >$3 million)
- Most Australian government agencies
- All private health providers
- All credit providers and reporting bodies
- Holders of tax file number information
What exactly is a data breach, and what are the penalties?
A data breach is when personal information, held by your organisation, is lost or subjected to unauthorised access or disclosure, which includes:
- the loss or theft of a device containing personal information
- a successful hacking attack on a database containing personal information
- any instance where personal information is mistakenly provided to the wrong person.
In the event of a data breach, the new legislation requires you to:
- notify the Office of the Australian Information Commissioner (OAIC)
- send a statement, addressing the data breach, to the OAIC and affected individuals
- publish a copy of the statement on your website*
- take reasonable steps to publicise the statement on your website.*
Failure to comply could lead to hefty civil penalties (up to $360,000 for individuals and $1.8 million for organisations), not to mention potentially irrevocable damage to your reputation.
What do you need to do?
- Confirm that the legislation applies to you.
- Assuming it does, review and assess your cyber security policy, processes and technologies.
- Identify and fix any gaps in your cyber security systems.
Or you can take the stress and uncertainty out of your cyber security situation, and allow us to review your cyber security setup and ensure you’re ready for the new legislation.
* Where it is not practical for you to notify all affected individuals.
Notifiable Data Breaches. Office of the Australian Information Commissioner
Guide to securing personal information. Office of the Australian Information Commissioner
Australia finally has mandatory data breach notification. IT News Australia
Preparing for the Notifiable Data Breaches scheme webinar. Office of the Australian Information Commissioner